sound: GPF in snd_timer_user_params

19 views
Skip to first unread message

Dmitry Vyukov

unread,
Jan 13, 2016, 10:07:52 AM1/13/16
to Jaroslav Kysela, Takashi Iwai, Mark Brown, Jie Yang, alsa-...@alsa-project.org, LKML, syzkaller, Kostya Serebryany, Alexander Potapenko, Sasha Levin, Eric Dumazet
Hello,

The following program triggers GPF in snd_timer_user_params:

// autogenerated by syzkaller (http://github.com/google/syzkaller)
#include <unistd.h>
#include <sys/syscall.h>
#include <string.h>
#include <stdint.h>
#include <pthread.h>

long r[108];

void *thr(void *arg)
{
switch ((long)arg) {
case 0:
r[0] = syscall(SYS_mmap, 0x20000000ul, 0xf000ul,
0x3ul, 0x32ul, 0xfffffffffffffffful, 0x0ul);
break;
case 1:
memcpy((void*)0x20000990,
"\x2f\x64\x65\x76\x2f\x73\x6e\x64\x2f\x74\x69\x6d\x65\x72", 14);
r[2] = syscall(SYS_open, 0x20000990ul, 0x40ul, 0x0ul, 0, 0, 0);
break;
case 2:
r[3] = syscall(SYS_ioctl, r[2], 0x54a0ul, 0, 0, 0, 0);
break;
case 3:
*(uint32_t*)0x20000000 = (uint32_t)0x1;
*(uint32_t*)0x20000004 = (uint32_t)0x7;
*(uint32_t*)0x20000008 = (uint32_t)0x3;
*(uint32_t*)0x2000000c = (uint32_t)0x0;
*(uint32_t*)0x20000010 = (uint32_t)0x0;
*(uint8_t*)0x20000014 = (uint8_t)0x0;
*(uint8_t*)0x20000015 = (uint8_t)0x0;
*(uint8_t*)0x20000016 = (uint8_t)0x0;
*(uint8_t*)0x20000017 = (uint8_t)0x0;
*(uint8_t*)0x20000018 = (uint8_t)0x0;
*(uint8_t*)0x20000019 = (uint8_t)0x0;
*(uint8_t*)0x2000001a = (uint8_t)0x0;
*(uint8_t*)0x2000001b = (uint8_t)0x0;
*(uint8_t*)0x2000001c = (uint8_t)0x0;
*(uint8_t*)0x2000001d = (uint8_t)0x0;
*(uint8_t*)0x2000001e = (uint8_t)0x0;
*(uint8_t*)0x2000001f = (uint8_t)0x0;
*(uint8_t*)0x20000020 = (uint8_t)0x0;
*(uint8_t*)0x20000021 = (uint8_t)0x0;
*(uint8_t*)0x20000022 = (uint8_t)0x0;
*(uint8_t*)0x20000023 = (uint8_t)0x0;
*(uint8_t*)0x20000024 = (uint8_t)0x0;
*(uint8_t*)0x20000025 = (uint8_t)0x0;
*(uint8_t*)0x20000026 = (uint8_t)0x0;
*(uint8_t*)0x20000027 = (uint8_t)0x0;
*(uint8_t*)0x20000028 = (uint8_t)0x0;
*(uint8_t*)0x20000029 = (uint8_t)0x0;
*(uint8_t*)0x2000002a = (uint8_t)0x0;
*(uint8_t*)0x2000002b = (uint8_t)0x0;
*(uint8_t*)0x2000002c = (uint8_t)0x0;
*(uint8_t*)0x2000002d = (uint8_t)0x0;
*(uint8_t*)0x2000002e = (uint8_t)0x0;
*(uint8_t*)0x2000002f = (uint8_t)0x0;
*(uint8_t*)0x20000030 = (uint8_t)0x0;
*(uint8_t*)0x20000031 = (uint8_t)0x0;
*(uint8_t*)0x20000032 = (uint8_t)0x0;
*(uint8_t*)0x20000033 = (uint8_t)0x0;
r[41] = syscall(SYS_ioctl, r[2], 0x40345410ul,
0x20000000ul, 0, 0, 0);
break;
case 4:
*(uint32_t*)0x20005731 = (uint32_t)0x5;
*(uint32_t*)0x20005735 = (uint32_t)0x7;
*(uint32_t*)0x20005739 = (uint32_t)0x0;
*(uint32_t*)0x2000573d = (uint32_t)0x0;
*(uint32_t*)0x20005741 = (uint32_t)0x5;
*(uint8_t*)0x20005745 = (uint8_t)0x0;
*(uint8_t*)0x20005746 = (uint8_t)0x0;
*(uint8_t*)0x20005747 = (uint8_t)0x0;
*(uint8_t*)0x20005748 = (uint8_t)0x0;
*(uint8_t*)0x20005749 = (uint8_t)0x0;
*(uint8_t*)0x2000574a = (uint8_t)0x0;
*(uint8_t*)0x2000574b = (uint8_t)0x0;
*(uint8_t*)0x2000574c = (uint8_t)0x0;
*(uint8_t*)0x2000574d = (uint8_t)0x0;
*(uint8_t*)0x2000574e = (uint8_t)0x0;
*(uint8_t*)0x2000574f = (uint8_t)0x0;
*(uint8_t*)0x20005750 = (uint8_t)0x0;
*(uint8_t*)0x20005751 = (uint8_t)0x0;
*(uint8_t*)0x20005752 = (uint8_t)0x0;
*(uint8_t*)0x20005753 = (uint8_t)0x0;
*(uint8_t*)0x20005754 = (uint8_t)0x0;
*(uint8_t*)0x20005755 = (uint8_t)0x0;
*(uint8_t*)0x20005756 = (uint8_t)0x0;
*(uint8_t*)0x20005757 = (uint8_t)0x0;
*(uint8_t*)0x20005758 = (uint8_t)0x0;
*(uint8_t*)0x20005759 = (uint8_t)0x0;
*(uint8_t*)0x2000575a = (uint8_t)0x0;
*(uint8_t*)0x2000575b = (uint8_t)0x0;
*(uint8_t*)0x2000575c = (uint8_t)0x0;
*(uint8_t*)0x2000575d = (uint8_t)0x0;
*(uint8_t*)0x2000575e = (uint8_t)0x0;
*(uint8_t*)0x2000575f = (uint8_t)0x0;
*(uint8_t*)0x20005760 = (uint8_t)0x0;
*(uint8_t*)0x20005761 = (uint8_t)0x0;
*(uint8_t*)0x20005762 = (uint8_t)0x0;
*(uint8_t*)0x20005763 = (uint8_t)0x0;
*(uint8_t*)0x20005764 = (uint8_t)0x0;
*(uint8_t*)0x20005765 = (uint8_t)0x0;
*(uint8_t*)0x20005766 = (uint8_t)0x0;
*(uint8_t*)0x20005767 = (uint8_t)0x0;
*(uint8_t*)0x20005768 = (uint8_t)0x0;
*(uint8_t*)0x20005769 = (uint8_t)0x0;
*(uint8_t*)0x2000576a = (uint8_t)0x0;
*(uint8_t*)0x2000576b = (uint8_t)0x0;
*(uint8_t*)0x2000576c = (uint8_t)0x0;
*(uint8_t*)0x2000576d = (uint8_t)0x0;
*(uint8_t*)0x2000576e = (uint8_t)0x0;
*(uint8_t*)0x2000576f = (uint8_t)0x0;
*(uint8_t*)0x20005770 = (uint8_t)0x0;
*(uint8_t*)0x20005771 = (uint8_t)0x0;
*(uint8_t*)0x20005772 = (uint8_t)0x0;
*(uint8_t*)0x20005773 = (uint8_t)0x0;
*(uint8_t*)0x20005774 = (uint8_t)0x0;
*(uint8_t*)0x20005775 = (uint8_t)0x0;
*(uint8_t*)0x20005776 = (uint8_t)0x0;
*(uint8_t*)0x20005777 = (uint8_t)0x0;
*(uint8_t*)0x20005778 = (uint8_t)0x0;
*(uint8_t*)0x20005779 = (uint8_t)0x0;
*(uint8_t*)0x2000577a = (uint8_t)0x0;
*(uint8_t*)0x2000577b = (uint8_t)0x0;
*(uint8_t*)0x2000577c = (uint8_t)0x0;
*(uint8_t*)0x2000577d = (uint8_t)0x0;
*(uint8_t*)0x2000577e = (uint8_t)0x0;
*(uint8_t*)0x2000577f = (uint8_t)0x0;
*(uint8_t*)0x20005780 = (uint8_t)0x0;
r[107] = syscall(SYS_ioctl, r[2], 0x40505412ul,
0x20005731ul, 0, 0, 0);
break;
}
return 0;
}

int main()
{
long i;
pthread_t th[5];

memset(r, -1, sizeof(r));
for (i = 0; i < 5; i++) {
pthread_create(&th[i], 0, thr, (void*)i);
usleep(10000);
}
for (i = 0; i < 5; i++) {
pthread_create(&th[i], 0, thr, (void*)i);
if (i%2==0)
usleep(10000);
}
usleep(100000);
return 0;
}


kasan: GPF could be caused by NULL-ptr deref or user memory
accessgeneral protection fault: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN
Modules linked in:
CPU: 3 PID: 6811 Comm: syz-executor Not tainted 4.4.0+ #240
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
task: ffff880033ca97c0 ti: ffff8800337b8000 task.ti: ffff8800337b8000
RIP: 0010:[<ffffffff84ec20fb>] [<ffffffff84ec20fb>]
snd_timer_user_params.isra.17+0x5fb/0x9f0
RSP: 0018:ffff8800337bf9a0 EFLAGS: 00010246
RAX: dffffc0000000000 RBX: ffff88003578c000 RCX: ffff880033ca97c0
RDX: 0000000000000000 RSI: 0000000000000001 RDI: ffff88003578c030
RBP: ffff8800337bfad0 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 1ffff100066f7f39
R13: ffff8800337bfaa8 R14: 0000000000000000 R15: 0000000020005731
FS: 00007fd5971aa700(0000) GS:ffff88006d700000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
CR2: 0000000020000990 CR3: 0000000063509000 CR4: 00000000000006e0
Stack:
dffffc0000000000 ffffffff814ef860 ffff8800337bfbc0 ffff88003607c508
ffff8800337bfa28 0000000041b58ab3 ffffffff873dff68 ffffffff84ec1b00
ffffffff00000000 0000000000000000 1ffff100067952f9 ffff880033ca97c0
Call Trace:
[<ffffffff84ec51ca>] snd_timer_user_ioctl+0x163a/0x2540 sound/core/timer.c:1813
[< inline >] vfs_ioctl fs/ioctl.c:43
[<ffffffff817cbd3c>] do_vfs_ioctl+0x18c/0xfa0 fs/ioctl.c:674
[< inline >] SYSC_ioctl fs/ioctl.c:689
[<ffffffff817ccbdf>] SyS_ioctl+0x8f/0xc0 fs/ioctl.c:680
[<ffffffff86272ff6>] entry_SYSCALL_64_fastpath+0x16/0x7a
arch/x86/entry/entry_64.S:185
Code: 00 00 fc ff df 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 60 03 00
00 4c 8b 73 30 48 b8 00 00 00 00 00 fc ff df 4c 89 f2 48 c1 ea 03 <0f>
b6 14 02 4c 89 f0 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85
RIP [<ffffffff84ec20fb>] snd_timer_user_params.isra.17+0x5fb/0x9f0
sound/core/timer.c:1680
RSP <ffff8800337bf9a0>
---[ end trace 34f31d6e8ce26f6b ]---


On commit 67990608c8b95d2b8ccc29932376ae73d5818727 (Jan 12).
Reply all
Reply to author
Forward
0 new messages